Antidote for RFPoison (Followup to RFP9906) Recently I released RFP9906: NT denial of service in services.exe (RFPoison). I included a limited sample exploit that would demonstrate the problem. Since then, I've worked with a few individuals and confirmed some configurations that will protect your system.
Services.exe DoS ported to Python. This only seems to work on NT. Also, it may have to be run multiple times before SERVICES.EXE will die. Ported by nas.
Advisory RFP9907 - You, your servers, RDS, and thousands of script kiddies. .gov, .mil, and even microsoft.com have fallen lately to the hands of website defacers. Turns out, it's all been because of RDS. This paper is the straight story on fixing the RDS hole.
MSADC/RDS exploit script version 2.
whisker is what I've dubbed a 'next generation' CGI scanner. It is scriptable. It's a programming-ish language that is tailored to do lots of flexible web scanning. Very stealthy. I've implemented anti-IDS checks into the scan. What's more, I've tested it...and let's just say I haven't seen an IDS so far catch a scan when all the IDS evasion switches are used. ;) Includes over 130 checks. Lots of options. Reads in nmap output, files full of domains, or a single host. Virtual host support. Proxy support.
Windows NT remote denial of service and compromise (RFPoison). When sent a specific packet, it's possible to get srvsvc.dll to choke, and cause services.exe to reference a bad memory location. The impact is pretty severe. Services.exe handles named pipes for the system. Once this crashes, everything named-pipe-based goes with it. Combined with the AEDebug vulnerability, remote compromise is possible.
Zeus is a high-performance webserver available from Zeus Technologies (www.zeus.co.uk). There are a myriad of problems that, when combined, could yield a remote root compromise.
Windows 95 updated RDS exploit.
nmapstub-1.c (shell version) - This file reads in nmap (v2.x human) output, puts it into port and host structures, and then can call whatever routines you want (per host) to check for exploits, etc.
nmapstub.pl (Perl version) - This file reads in nmap (v2.x human) output, puts it into port and host structures, and then can call whatever routines you want (per host) to check for exploits, etc.
Latest release of rfp's Perl-based nmap stub. This program reads in nmap output and parses it into easy-to-use structures that you can use in your code.
Cold Fusion v4.0 security - A variety of security holes described in Cold Fusion v4.0.